Skip to content

Config File

The tfsec config file can override various tfsec configurations.

The tfsec config file is a file in the .tfsec folder in the root check path named config.json or config.yml and is automatically loaded if it exists.

The config file can also be set with the --config-file option:

tfsec --config-file tfsec.yml

Syntax and Overrides

Severity Overrides

There are occasions where the default severity level for one of the built in checks is too severe or in some cases not strong enough.

The config file can be used to specify overrides for any check identifier to replace the result output.

{
  "severity_overrides": {
    "CUS002": "ERROR",
    "aws-s3-enable-versioning": "LOW"
  }
}

or in yaml

---
severity_overrides:
  CUS002: ERROR
  aws-s3-enable-versioning: HIGH

Excluding checks

There are moments where the list of checks you'd want to exclude becomes larger and larger. Rather than passing all the excluded checks via the command line, you can use the configuration entry exclude to list them all out.

{
  "exclude": ["CUS002", "aws-s3-enable-versioning"]
}

or in yaml

---
exclude:
  - CUS002
  - aws-s3-enable-versioning